2012's worst security exploits, fails and blunders

A fool and his feeble p@$$w0rd are soon rooted, but if 2012 has proven anything, it's that even the most cautious security-minded souls need to double down on their protective practices, and think about the best ways to mitigate damage if the worst happens in our increasingly cloud-connected world.

A solid security toolbox should form the heart of your defense, of course, but you'll also need to consider your basic behavior. For example, a leaked LinkedIn password does little harm if that particular alphanumeric combination only opens the door to that particular account, rather than every social media account you use. Two-factor authentication can stop a breach before it happens. And do your passwords suck?

I'm not trying to scare you. Rather, I'm interested in opening your eyes to the types of precautions that are necessary in the digital age—as evidenced by the biggest security exploits, blunders, and fails of 2012. 'Twas a banner year for the bad guys.

Honan hack attack

Honan's disaster was magnified by his lack of physical backups.

The highest profile hack of 2012 didn't involve millions of users or an avalanche of pilfered payment information. No, the security highlight—or is that lowlight?—of 2012 was the epic hacking of a single man: Wired writer Mat Honan.

Over the course of a single hour, hackers gained access to Honan's Amazon account, deleted his Google account, and remotely wiped his trio of Apple devices, culminating in the hackers ultimately achieving their end goal: seizing control of Honan's Twitter handle. Why all the destruction? Because the @mat Twitter handle's three-letter status apparently makes it a highly coveted prize. (The malcontents posted several racist and homophobic tweets before the account was temporarily suspended.)

The devastation was all made possible by security snafus on Honan's end—daisy-chaining critical accounts, a lack of two-factor authentication activation, using the same basic naming scheme across several email accounts—and conflicting account security protocols at Amazon and Apple, which the hackers took advantage of with the help of some good ol' fashioned social engineering.

The Flame virus

The Flame virus takes its name from its code.

Traced as far back as 2010 but only discovered in May of 2012, the Flame virus bears a striking similarity to the government-sponsored Stuxnet virus, with a complex code base and a primary use as an espionage tool in Middle Eastern countries like Egypt, Syria, Lebanon, Sudan, and (most frequently) Iran.

Once Flame sank its hooks into a system, it installed modules that could, amongst other things, record Skype conversations or audio of anything happening near the computer, snag screenshots, snoop on network connections, and keep logs of all keypresses and any data entered into input boxes. It's nasty, in other words—and Flame uploaded all the information it collected to command and control servers. Shortly after Kaspersky researchers sussed out Flame's existence, the virus' creators activated a kill command to wipe the software from infected computers.

Scary stuff, to be sure. Perhaps more worrying was Onity's response to the situation, which was basically "Put a plug over the port and change the screws."

The company eventually developed an actual solution for the vulnerability, but it involves swapping out the circuit boards of affected locks—and Onity refuses to foot the costs for doing so. A December ArsTechnica report suggests the company may be more willing to subsidize replacement boards in the wake of the Texas crime spree, though as of November 30th, Onity had only supplied a total of 1.4 million "solutions for locks"—including those plastic plugs—to hotels globally. In other words, the vulnerability is still very widespread. Epic fail.

What's the takeaway? You can't trust a website to keep your password safe, so you should use different passwords for different sites to minimize the potential damage if hackers do manage to puzzle out your login credentials for a given account. Check out our guide to building a better password if you need some pointers.

Dropbox drops its guard

Dropbox's "open box" logo proved all too true for people who reused passwords in 2012.

Back in July, some Dropbox users began noticing that they were receiving a large amount of spam in their inboxes. After some initial denials followed by some deeper digging, Dropbox found that hackers had compromised an employee's account and gained access to a document containing user email addresses. Oops! The damage was minor, but the egg on the face was major.

At the same time, a very small number of users had their Dropbox accounts actively broken into by outside sources. Investigations revealed that the hackers gained access to the accounts because the victims were reusing the same username/password combination across several websites. When the login credentials were leaked in a breach at another service, the hackers had all they needed to unlock the Dropbox accounts.

Dropbox's woes highlight—again—the need to use separate passwords for different services, as well as the fact that you can't trust the cloud completely yet. You can take cloud security into your own hands with the help of a third-party encryption tool.

Millions of South Carolina SSNs pilfered

Speaking of encryption, it would be nice if the government followed basic security principles.

After a massive October data breach resulted in a hacker obtaining the social security numbers of a whopping 3.6 million South Carolina citizens—in a state with just 4.6 million residents!—state officials tried placing the blame at the feet of the IRS. The IRS doesn't specifically require states to encrypt the SSNs in tax filings, you see. So South Carolina didn't—though it plans to start now, hindsight being 20/20 and all.

On the kinda positive side, debit and credit card details of 387,000 South Carolina citizens were also swiped in the digital heist, and most of those were encrypted, though that's likely little solace for the 16,000 people whose card details were stolen in plain-text form.

Skype's massive security flaw

Lax account recovery procedures threatened Skype users in November.

In November, Skype users temporarily lost the ability to request a password reset for their account after researchers identified an exploit that allowed anybody to gain access to a Skype account as long as the person knew the email address associated with the account. Not the account password, not the security questions—just the simple email address alone.

Skype quickly plugged the hole when it caught the public eye, but the damage had already been done. The vulnerability was floating around on Russian forums and actively being used in the wild before it was shut down.

Fortunately, the breach was fairly contained. Global Payments was able to identify the card numbers affected by the hack, and the data stolen only contained the actual card numbers and expiration dates, not any cardholder names or personally identifiable information. The hits kept coming, though. In June, Global Payments announced that hackers may have stolen the personal information of people who applied for a merchant account with the company.

Microsoft Security Essentials fails AV-Test certification

Well, isn't this embarrassing. AV-Test is an independent information security institute that regularly rounds up all the top antimalware products that are out there, tosses a whole bunch of nasties at said products, and sees how the various solutions hold up under the withering barrage. The organization did just that with 24 different consumer-focused security solutions at the end of November, and only one of those solutions failed to meet AV-Test's certification standard: Microsoft Security Essentials for Windows 7.

That one without a certification logo? It's MSE.

MSE actually did a decent job tackling well-known viruses in the test, but the security program provided appallingly little, well, security in the face of zero-day exploits. Its protection score of 64 against said zero-day attacks is a full 25 points lower than the industry average.

The blunder that wasn't: Norton source code released

It sounds scary on the surface: Groups of rogue hackers managed to get the source code for one of Symantec's popular Norton security utilities, then dumped the code on Pirate Bay for the world to dissect. Oh, noes! Now, nothing can stop the bad guys from running willy-nilly past the defenses that come preinstalled on gajillions (approximately) of boxed systems sold throughout the world—right?

Wrong. The source code belonged to Norton Utilities products released in 2006, you see, and Symantec's current products have since been rebuilt from the ground up, with no common code shared between the two. In other words, the 2006 source code's release doesn't pose any risk whatsoever to modern-day Norton subscribers—at least if you've updated your antivirus in the past half-decade.

Brad Chacos Senior Editor

Brad Chacos spends the days jamming to Spotify and digging through desktop PCs. He covers the gaming, graphics cards, and how-to beats for PCWorld, and spends his mornings running the news desk for PCWorld, Macworld, Greenbot, and TechHive.